CROSS-REFERENCE TO RELATED APPLICATIONS 
[0001] This application claims the benefit of provisional U.S. application No. 
60/415437, filed on October 2, 2002, the entire contents of which are hereby incorporated 
by reference as if fully disclosed herein. 

BACKGROUND OF THE INVENTION 

1. Field of the invention: 

[0002] The present invention relates to a network defense system. More 
specifically, it relates to a deployable network defense system that monitors both network 
and operational activities, and predicts the mission impact of alterations and disruptions 
of networked resources. 

2. Description of the Related Art: 

[0003] In both the commercial and military domains, systems are becoming 
increasingly networked. The power of networking is apparent through the potential for 
increased quantity and quality of information available for decision-makers and more 
efficient use of resources. At the same time, the increased complexity of networked 
approaches leads to several pressing needs. These needs include systems that are robust 
both to internal faults and to attacks from outside the network, as well as analysis to 
understand the impact of the system's degradation on its overall mission effectiveness. 

SUMMARY OF THE INVENTION 
[0004] The Mission Centric Network Defense System (MCNDS) is related to a 
deployable network defense system that monitors network activities, generates and 
maintains situational awareness of operational activities, and uses this joint situational 
awareness of networked and operational activities to predict the mission impact of 
alterations and disruptions of networked resources. The MCNDS uses this predictive 
capability to rank defensive information operation (IO) courses-of-action (COAs) as well 
as to interpret network alarms and intrusion detections in terms of expected operational 
mission impact. IO and operational commanders may use MCNDS to monitor and 
understand how their networks are supporting various missions and how actions taken on 
their networks impact their missions. 

[0005] It is an object of the invention disclosed herein to provide dynamic, 
constantly maintained awareness of the actual current status of both the network and the 
mission. 

[0006] It is a further object of the invention disclosed herein to use awareness of 
the actual current state of both the network and the mission to predict the mission impact 
of alterations and disruptions of networked resources, in general, and to provide mission 
relevant correlations of network alarms and intrusion detections in particular. 

[0007] It is yet another object of the invention disclosed herein to predict the 
mission impact of network perturbations in general, and in one particular embodiment, to 
prioritize defensive information operation (IO) courses-of-action (COAs) with respect to 
expected impact on operational effectiveness. 

[0008] These and other objects and advantages of the present invention will be 
fully apparent from the following description, when taken in connection with the annexed 
drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 
[0009] The teachings of the present invention can be readily understood by 
considering the following detailed description in conjunction with the accompanying 
drawings, in which: 

Fig. 1 is a block diagram depicting an embodiment of the functional 
architecture of the MCNDS; 

Fig. 2 is a graph showing an example mission state probability over time; 
Fig. 3 depicts a method of determining mission sensitivity and performing 
mission impact prediction; 

Fig. 4 depicts an example of a deployed force architecture with an Air 
Tasking Order (ATO) generation mission; and 

Fig. 5 is a graph illustrating an example set of sensitivity curves over time 
for the ATO generation mission. 

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS 
[0010] Fig. 1 depicts an embodiment for the MCNDS. Interface sensors 102 at 
select network node(s) can provide both network and mission data. Both network health 
and the operational situation being supported by the network are monitored by extracting 
relevant information from packet and traffic patterns. Relevant information can include 
packet sources, destinations and ports, but can also include any other information deemed 
relevant to the network or mission. In this case, the packet flows may be scanned as an 
unstructured data stream. 

[0011] Mission event detection 104 is performed by combining the information 
from the interface sensors. Once the mission events are detected, they are combined with 
knowledge of the mission types, and missions can be correlated and tracked 106. 
Mission tracking in the current context means determining which missions are active and 
the state of each mission. For this, a set of mission types is assumed (e.g. Call-For-Fire, 
TCS, Ship-To-Objective-Maneuver, Air Defense). Missions may be modeled using 
stochastic models (e.g., Hidden Markov Models, HMMs), that is, processes that have 
both stochastic transition behavior and stochastic output maps. Given the observed event 
sequence, the process of determining which mission types, with high probability, would 
most likely have generated the event sequence may be performed inductively. For Hidden 
Markov Models, a fast algorithm that successfully implements the induction is known as 
the "forward algorithm". 

[0012] The forward algorithm can process the sequence of observed variables 
$o_1, o_2, \ldots$ using the model for each mission type $k$ given by the data 
$M_k = (A_k, C_k, \pi_k)$. These are the state transition matrix, the observation matrix, and the 
initial probability vector for mission $k$. The forward variable at time $t$ for mission $k$ is 
denoted by $\alpha_t^k$, and is the joint probability of a given sequence of observations and a 
particular state given model $M_k$. The $i$-th component is given by 

$$\alpha_t^k(i) = \Pr(O_1 = o_1, O_2 = o_2, \ldots, O_t = o_t, s_t = i \mid M_k),$$

and the inductive procedure for computing $\alpha^k$ is as follows: 

$$\alpha_1^k(i) = \pi_k(i)\, c^k_{o_1, i}, \quad \forall i,$$

$$\alpha_{t+1}^k(j) = \Big[ \sum_i \alpha_t^k(i)\, a^k_{ij} \Big] c^k_{o_{t+1}, j}, \quad \forall j,$$

where $a^k_{ij}$ is the $ij$-th entry of $A_k$ and $c^k_{o_{t+1}, j}$ is the $(o_{t+1}, j)$ entry of $C_k$. Once the forward 
variable has been computed, we have 

$$\Pr(O_1 = o_1, O_2 = o_2, \ldots, O_t = o_t \mid M_k) = \sum_j \alpha_t^k(j),$$

where $t$ is the terminal time, and this indicates the probability that mission $k$ is active 
given the sequence of observed variables. A primary architectural product that has 
successfully been shown to allow effective mission tracking using HMMs is an 
operational sequence diagram (OSD) that describes which operational enterprise systems 
are communicating with each other, when, and in what order. 

Docket Number 1881-SPL 
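The forward recursion above, as an added worked example that is not code from the patent: two constructed mission models over the detect/decide/engage/assess states of Fig. 2 are scored against a constructed event sequence, returning for each mission the likelihood $\Pr(O_1..O_t \mid M_k)$ and the normalized state probability vector that the tracker hands to the sensitivity analyzer. The state names, event alphabet, matrices and mission names are all assumptions for illustration.

```python
# Added example (not from the patent): HMM forward algorithm for mission tracking.
# Mission models, state names and the event alphabet are constructed for illustration.

STATES = ["detect", "decide", "engage", "assess"]
EVENTS = ["sensor_report", "c2_msg", "weapon_order", "bda_report"]

# Mission model M_k = (A_k, C_k, pi_k): A_k[i][j] is the i->j transition probability,
# C_k[o][i] is the probability of observing event o in state i (the o,i entry of C_k),
# pi_k is the initial state distribution.  Each column of C_k sums to 1.
MISSIONS = {
    "Call-For-Fire": (
        [[0.5, 0.5, 0.0, 0.0], [0.0, 0.5, 0.5, 0.0],
         [0.0, 0.0, 0.5, 0.5], [0.3, 0.0, 0.0, 0.7]],
        [[0.7, 0.2, 0.1, 0.1], [0.2, 0.6, 0.1, 0.1],
         [0.05, 0.1, 0.7, 0.1], [0.05, 0.1, 0.1, 0.7]],
        [1.0, 0.0, 0.0, 0.0]),
    "Air-Defense": (
        [[0.6, 0.4, 0.0, 0.0], [0.0, 0.6, 0.4, 0.0],
         [0.0, 0.0, 0.6, 0.4], [0.5, 0.0, 0.0, 0.5]],
        [[0.8, 0.5, 0.3, 0.3], [0.1, 0.3, 0.1, 0.1],
         [0.05, 0.1, 0.5, 0.1], [0.05, 0.1, 0.1, 0.5]],
        [1.0, 0.0, 0.0, 0.0]),
}

def forward(obs, model):
    """Forward variable alpha_t(i) = Pr(O_1=o_1..O_t=o_t, s_t=i | M_k) at the last t."""
    A, C, pi = model
    n = len(pi)
    alpha = [pi[i] * C[obs[0]][i] for i in range(n)]   # alpha_1(i) = pi(i) c_{o_1,i}
    for o in obs[1:]:                                   # induction step t -> t+1
        alpha = [sum(alpha[i] * A[i][j] for i in range(n)) * C[o][j] for j in range(n)]
    return alpha

def track(events, missions):
    """Return {mission: (Pr(observations | M_k), posterior state probability vector)}."""
    obs = [EVENTS.index(e) for e in events]
    result = {}
    for name, model in missions.items():
        alpha = forward(obs, model)
        likelihood = sum(alpha)                         # sum_j alpha_t(j)
        posterior = [a / likelihood for a in alpha] if likelihood else [0.0] * len(alpha)
        result[name] = (likelihood, posterior)
    return result

def most_likely_mission(events, missions):
    return max(track(events, missions).items(), key=lambda kv: kv[1][0])[0]

if __name__ == "__main__":
    seq = ["sensor_report", "c2_msg", "weapon_order", "bda_report"]  # constructed
    for name, (lik, probs) in track(seq, MISSIONS).items():
        print(f"{name}: Pr(obs|M)={lik:.6f} states={[round(p, 3) for p in probs]}")
```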

[0013] Sensitivity analysis 108 is then performed. The impact of network 
perturbations, e.g. intrusion detections 110, on the mission may be estimated, and 
correlated intrusions and alarms 116 can be determined. Mission sensitivity to various 
network perturbations may also be determined. One particularly important type of 
network perturbation is the implementation of an alternative network-operations COA 
112. In this case, COAs may be prioritized 114 according to their contribution to overall 
mission performance. 

[0014] Fig. 2 depicts an approach to determining the mission state. In this 
example, the mission states are categorized as detect, decide, engage, and assess. A 
sample realization of observed events is generated and passed into the Hidden Markov 
Model (HMM) tracker. The probability vectors generated from the tracker vary over 
time and are shown in Fig. 2. During operations, the state probability vector for the 
current time is passed to the sensitivity analyzer as the initial condition used to start its 
analysis. 

[0015] Fig. 3 depicts a method of determining mission sensitivity and performing 
mission impact prediction. The inputs are the mathematical objects provided by the 
network operational awareness function of the MCNDS. Given a mathematical model 
such as an HMM, the basic approach to sensitivity analysis is shown. The process is to 
take the state of the system at time increment k (300) and to produce two descendants. 
The first descendant 312 is the nominal version for time increment k+1, and the second 
descendant 314 is a perturbed (due to attack, failure, or reallocation) version for time 
increment k+1. Both versions are then propagated forward in time, using nominal 
dynamics models out to some computation horizon, N. The difference between the 
overall mission effectiveness along both paths, the nominal path 310 and the perturbed 
path 320, is computed, resulting in a sensitivity estimate. The estimate of mission 
sensitivity is with respect to the specific perturbation and the specific time at which the 
perturbation is injected into the path. By varying the system that is perturbed and the 
time at which the perturbation occurs, a more complete estimate of mission sensitivity is 
constructed. 

[0016] Fig. 4 depicts an example embodiment of a deployed force that must deal 
with IO attacks during a specific mission, Air Tasking Order generation. Coordination is 
required between the ships 402, the JTF Commander 404, the Air Operations Center 410, 
and the Wing Operations Center 408. Communications networks included MILNET 410 
and internet 412. Compromises were considered in three components: an email server, a 
planning database server, and a domain name server. 

[0017] Performing sensitivity analysis on the ATO generation mission results in 
the curves shown in Fig. 5. As can be easily seen in Fig. 5, mission sensitivity can vary 
greatly depending on which network components are compromised, and at what point in 
time they are impacted. This underscores the need to understand the mission sensitivities 
in order to make appropriate decisions and undertake the best courses of action. 
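The Fig. 3 procedure of paragraph [0015] and the Fig. 5 sensitivity curves of paragraph [0017], as an added example that is not part of the patent: a mission state probability vector is split into a nominal and a perturbed descendant, both are propagated with the nominal dynamics to the horizon N, and the difference in mission effectiveness is the sensitivity; sweeping the injection time produces a curve. The transition matrix, the effectiveness weights and the "stalled decide" perturbation (standing in for a compromised planning database) are constructed assumptions.

```python
# Added example (not from the patent): Fig. 3 style sensitivity analysis on a mission
# state vector.  States, dynamics and effectiveness weights are constructed.

STATES = ["detect", "decide", "engage", "assess"]
# Nominal mission dynamics A: each phase persists or advances; "assess" is absorbing.
A_NOMINAL = [[0.5, 0.5, 0.0, 0.0],
             [0.0, 0.5, 0.5, 0.0],
             [0.0, 0.0, 0.5, 0.5],
             [0.0, 0.0, 0.0, 1.0]]
# Mission effectiveness credited to being in each state (constructed weights).
EFFECTIVENESS = [0.0, 0.25, 0.6, 1.0]

def step(p, A):
    """One time increment of the Markov dynamics: p_{k+1} = p_k A."""
    n = len(p)
    return [sum(p[i] * A[i][j] for i in range(n)) for j in range(n)]

def propagate(p, A, steps):
    for _ in range(steps):
        p = step(p, A)
    return p

def effectiveness(p):
    return sum(pi * w for pi, w in zip(p, EFFECTIVENESS))

def stall(A, state, fraction):
    """Perturbed dynamics: a compromised resource stalls the mission in `state` by
    moving `fraction` of that state's outgoing transition mass onto its self-loop."""
    A_p = [row[:] for row in A]
    row = A_p[state]
    for j in range(len(row)):
        if j != state:
            row[state] += row[j] * fraction
            row[j] *= 1.0 - fraction
    return A_p

def sensitivity(p_k, A, A_perturbed, horizon):
    """Fig. 3: nominal (312) and perturbed (314) descendants of p_k, both propagated
    with nominal dynamics to the horizon; return the drop in mission effectiveness."""
    nominal = propagate(step(p_k, A), A, horizon - 1)
    perturbed = propagate(step(p_k, A_perturbed), A, horizon - 1)
    return effectiveness(nominal) - effectiveness(perturbed)

def sensitivity_curve(p0, A, A_perturbed, horizon):
    """Sweep the injection time t = 0..horizon-1 at a fixed absolute horizon (Fig. 5)."""
    curve, p = [], p0
    for t in range(horizon):
        curve.append(sensitivity(p, A, A_perturbed, horizon - t))
        p = step(p, A)
    return curve

# Constructed scenario: a planning database compromise stalls the "decide" phase.
A_STALLED = stall(A_NOMINAL, STATES.index("decide"), 0.8)
```

A sensitivity of zero at an injection time means the perturbation had no effect on the mission then, which is exactly the ordering information used to prioritize COAs.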
[0018] In one embodiment of the present invention in a Naval scenario, the Naval 
operations (N3) user at the Tactical Flag Command Center (TFCC) will have available 
the MCNDS Command and Control (C2) Module to monitor which operational 
alternatives are at risk due to network perturbations. At the Network Operations Center 
(NOC) Naval networking users will have in the present embodiment the MCNDS C2 
module for monitoring the network and planning network operations while interacting 
with the Naval Network Warfare Command (NNWC) and users at a Department of 
Defense Regional Network Operations and Security Center (RNOSC). An additional 
component of coordination may come from the Fleet Information Warfare Center 
(FIWC) to the NOC and the battlegroup N3. A team of users at FIWC will have in the 
present embodiment the MCNDS C2 module for monitoring, prioritizing network 
operation COAs, and planning the execution of network operations. MCNDS C2 modules 
will interface to collaboration tools to provide instant access between the battlegroup 
information warfare commander (IWC) and electronic warfare officer (EWO), and 
MCNDS users at the FIWC, NOC, NNWC and RNOSC. 
[0019] Although the method according to the present invention has been 
described in the foregoing specification with considerable detail, it is to be understood 
that modifications may be made to the invention which do not exceed the scope of the 
appended claims, and modified forms of the present invention made by others skilled in 
the art to which the invention pertains will be considered infringements of this invention 
when those modified forms fall within the claimed scope of this invention. 